Introduction of PFS ensures protection of encrypted data even if another party obtains decryption keys, as US and UK intelligence agencies have done in the past according to whistleblower Edward Snowden.

An internal team of security engineers has spent several months implementing PFS, which adds an extra layer of security to the widely used HTTPS encryption.

Google, Facebook, Dropbox and Tumblr have all implemented PFS, and LinkedIn is understood to be introducing it in 2014, according to the Guardian.

Ironically, the ECDHE method was first developed by GCHQ and remained classified until it was patented by US cryptographers Whitfield Diffie and Martin Hellman, who made the discovery independently.

In a blog post announcing the implementation, Twitter said PFS is what should be the “new normal” for web service owners to protect users from all predators on the internet.

“If you are a webmaster, we encourage you to implement HTTPS for your site and make it the default. If you already offer HTTPS, ensure your implementation is hardened with HTTP Strict Transport Security, secure cookies, certificate pinning, and Forward Secrecy,” the post reads.

Twitter also calls on website users to demand that the sites they use implement HTTPS to help protect privacy and to use an up-to-date web browser with the latest security improvements.

“HTTPS is surprisingly important for any web service that lets you login up front and then stay logged in indefinitely,” said Paul Ducklin, security technologist at security firm Sophos.

“That's because your logged-in status is usually dealt with by a session cookie that is used by the server to recognise a user and transmitted in the HTTP traffic,” he wrote in a blog post.

According to Ducklin, without HTTPS to encrypt the cookie between the browser and the server, an attacker could sniff the traffic, extract the cookie and use it to masquerade as a legitimate users.

Plain HTTPS only requires the server to send a user a public key to which it has a matching private key, allowing the server to use the same public-private keypair over and over again.

HTTPS with forward secrecy, however, requires the server to send you a public key that is unique to a session, so the corresponding private key can be destroyed after use, said Ducklin.

“That's how the forward secrecy is achieved: once the decryption keys from your session are destroyed, any copies of the encrypted data are effectively ‘nailed down’ into an eternally-encrypted state, like a padlock to which you've lost the key,” he said.

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy